int(2516)

Boletines de Vulnerabilidades

Aumento de privilegios en PPP

Clasificación de la vulnerabilidad
Propiedad Valor
Nivel de Confianza Oficial
Impacto Aumento de privilegios
Dificultad Experto
Requerimientos del atacante Acceso remoto con cuenta

Información sobre el sistema
Propiedad Valor
Fabricante afectado GNU/Linux
Software afectado ppp <= 2.4.4
shadow

Descripción
Se ha descubierto una vulnerabilidad en ppp 2.4.4 y anteriores. La vulnerabilidad reside en un error en el plugin winbind para pppd que no comprueba correctamente el código de respuesta de la llamada de sistema setuid.

Un atacante local podría elevar privilegios haciendo que setuid falle lo que impediría que "winbind NTLM authentication helper" bajara el nivel de privilegios.

Solución


Actualización de software

Debian

Debian Linux 3.1
Source
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1.dsc
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1.diff.gz
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3.orig.tar.gz
Architecture independent
http://security.debian.org/pool/updates/main/p/ppp/ppp-dev_2.4.3-20050321+2sarge1_all.deb
Alpha
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_alpha.deb
AMD64
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_amd64.deb
ARM
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_ia64.deb
HP Precision
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/p/ppp/ppp_2.4.3-20050321+2sarge1_sparc.deb

Debian (Shadow)

Debian Linux 3.1
Source
http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3-31sarge8.dsc
http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3-31sarge8.diff.gz
http://security.debian.org/pool/updates/main/s/shadow/shadow_4.0.3.orig.tar.gz
Alpha
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_alpha.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_alpha.deb
AMD64
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_amd64.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_amd64.deb
ARM
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_arm.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_arm.deb
Intel IA-32
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_i386.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_i386.deb
Intel IA-64
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_ia64.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_ia64.deb
HP Precision
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_hppa.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_hppa.deb
Motorola 680x0
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_m68k.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_m68k.deb
Big endian MIPS
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_mips.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mips.deb
Little endian MIPS
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_mipsel.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_mipsel.deb
PowerPC
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_powerpc.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_powerpc.deb
IBM S/390
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_s390.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_s390.deb
Sun Sparc
http://security.debian.org/pool/updates/main/s/shadow/login_4.0.3-31sarge8_sparc.deb
http://security.debian.org/pool/updates/main/s/shadow/passwd_4.0.3-31sarge8_sparc.deb

Mandriva

Mandrivalinux 2006
X86
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-devel-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-dhcp-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-pppoatm-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-pppoe-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-prompt-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/RPMS/ppp-radius-2.4.3-9.1.20060mdk.i586.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/2006.0/SRPMS/ppp-2.4.3-9.1.20060mdk.src.rpm
X86_64
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-devel-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-dhcp-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-pppoatm-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-pppoe-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-prompt-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/RPMS/ppp-radius-2.4.3-9.1.20060mdk.x86_64.rpm
ftp://ftp.ps.pl/mirrors/Mandrakelinux/official/updates/x86_64/2006.0/SRPMS/ppp-2.4.3-9.1.20060mdk.src.rpm

Identificadores estándar
Propiedad Valor
CVE CVE-2006-2194
BID 18849

Recursos adicionales
Debian Security Advisory (DSA 1106-1)
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00193.html

Debian Security Advisory (DSA 1150-1)
http://lists.debian.org/debian-security-announce/debian-security-announce-2006/msg00239.html

Mandriva Security Advisory (MDKSA-2006:119)
http://www.mandriva.com/security/advisories?name=MDKSA-2006:119

Histórico de versiones
Versión Comentario Fecha
1.0 Aviso emitido 2006-07-10
1.1 Aviso emitido por Mandriva (MDKSA-2006:119) 2006-07-11
1.2 Aviso emitido por Debian (DSA 1150-1) 2006-08-14

Miembros de

CERT
FIRST
TF-CSIRT
EGC Group
UE
Red Nacional de SOC
Foro Nacional de Ciberseguridad
CSIRT.es
Ministerio de Defensa
CNI
CCN
CCN-CERT